Introducing utrace [LWN.net]

The interface for tracing programs under Linux is the ptrace() system call. It is used primarily by debuggers, but there are other applications too; User-mode Linux can use ptrace(), for example. The interface gets the job done, but there are few system calls which endure more criticism. The list of ptrace() shortcomings is long, its interface is difficult for user-space developers to use and for kernel-space developers to maintain, it is inefficient, and it has been the source of more than one security problem over the years. Still, ptrace() endures; it is part of the user-space API and there is nothing better available.

Soon there may be a better alternative, in the form of the "utrace" patch (by Roland McGrath) which is currently in the -mm tree. Utrace replaces ptrace() entirely, while maintaining the same interface to user space. As such, it is a useful cleanup of a difficult system call. The real value of utrace, however, is likely to be seen in new tracing interfaces in the future.

The core utrace code does not interface with user space at all; instead, it is an in-kernel API which can be used to build kernel-based tracing mechanisms. These mechanisms are based around the concept of a "tracing engine," which is defined by the usual structure full of method pointers. This structure (struct utrace_engine_ops) has fourteen callbacks, each covering something which the traced process might do or have done to it. For example, one callback is:

    u32 (*report_syscall_entry)(struct utrace_attached_engine *engine,
				struct task_struct *tsk,
				struct pt_regs *regs);

Whenever the traced process invokes a system call, the tracing engine will (if it has asked for this event) receive a call to its report_syscall_entry() callback. The call happens at a "safe" time before the system call is executed; no locks are held, and the tracing process can safely access the traced process's state. The callback returns a bitmask specifying what happens next; the bitmask can change the tracing state, detach the engine, hide the event from other tracing engines, and more.

A tracing engine is put into service with:

    struct utrace_attached_engine *
    utrace_attach(struct task_struct *target, int flags,
	      	  const struct utrace_engine_ops *ops, 
		  unsigned long data);

This call will attach the engine to the given target process. There can be more than one engine attached to any given process - a significant difference from ptrace(). A newly-attached engine does not actually do anything, one can think of it as being in an idling state. Putting the engine into gear requires setting one or more action flags with:

    int utrace_set_flags(struct task_struct *target,
			 struct utrace_attached_engine *engine,
			 unsigned long flags);

There is a special flag (UTRACE_EVENT(QUIESCE)) which puts the target process into a quiescent state. In general, operating on the task first requires setting this flag, then waiting for a callback (to the report_quiesce() engine method) that says the process is truly stopped. There is a whole other set of events which can be requested: forking, execing a new program, receiving a signal, process death, system call entry and exit, etc. Single-stepping through instructions and program blocks is also handled through the event mechanism.

A signal can be forced into the target process with:

    int utrace_inject_signal(struct task_struct *target,
			     struct utrace_attached_engine *engine,
			     u32 action, siginfo_t *info,
			     const struct k_sigaction *ka);

Signals injected in this manner are delivered to the target process immediately; they are not queued in the usual manner.

There is more to the utrace API than is described in this brief overview, including an API for describing and working with CPU registers; see the excellent documentation file packaged with the patch for more details. Also included with the patch is a complete reimplementation of ptrace() built on top of utrace.

Reimplementing ptrace() is only so interesting, however, even if the result is a big improvement. The real purpose behind utrace looks to be to inspire the creation of the next generation of user-space process tracing APIs, and more. Roland told your editor:

The intent of the utrace API is not just to facilitate my writing the one great new userland API to replace ptrace. Its core purpose is to put writing a new user debugging facility more on par with writing a software device driver, a filesystem, or a network stack, so that many people can come up with ideas and experiment without doing brain surgery every time. It ties up the really nasty low-level implementation issues, and lets different unrelated facilities coexist without interfering with each other.

In other words, while utrace should enable the eventual retirement of ptrace(), there is more coming than that. If and when utrace makes it into the mainline, look for it to inspire interesting developments in a number of areas.

(Log in to post comments)

Introducing utrace..

Posted Mar 8, 2007 3:34 UTC (Thu) by AdHoc (subscriber, #1115) [Link]

I was going to ask how this compares to dtrace. With proper userspace support, with this eventually allow similar tracing?

Introducing utrace..

Posted Mar 8, 2007 3:49 UTC (Thu) by danpb (subscriber, #4831) [Link]

There is already an open source tool providing many of the DTrace capabilities called SystemTap which was started a couple of years ago by a group of developers from Red Hat, IBM, Intel & Hitachi:

http://sourceware.org/systemtap/

Currently SystemTap is focused on kernelspace probing, via the kprobes capability. This new UTrace infrastructure has potential as a way to let SystemTap probe userspace too. Another project which may be able to make use of UTrace is Frysk, which is a broader userspace debugger / execution analysis tool:

http://sourceware.org/frysk/

Introducing utrace..

Posted Mar 8, 2007 14:53 UTC (Thu) by zdzichu (subscriber, #17118) [Link]

DTrace is open source since the beginning.

Introducing utrace..

Posted Mar 12, 2007 15:37 UTC (Mon) by drag (subscriber, #31333) [Link]

Yea. And 'FREE software' also, buy the RMS/FSF definition.

Just not GPL-compatable.

systrace reworking? I/O metrics patch?

Posted Mar 8, 2007 7:58 UTC (Thu) by AnswerGuy (guest, #1256) [Link]

Two questions come to mind regarding this.

Could systrace be reworked to use the utrace framework? (Because the
semantics around the example specified that no locks were held and
the process' memory was quiescent at the syscall entry ... prior
to execution). I'd love to see systrace merged into the mainline.

The other question would be if it would be possible to built an I/O
metrics patch around this. For years I've wished that we'd get the
atop I/O metrics (kernel-patch-atopcnt package on Debian) merged.
Often enough, when we see that a system is I/O bound, we want to know
which process(es) is (are) hogging which I/O channel(s). A utrace
approach wouldn't be the same (wouldn't be feasible for an atop like
tool). However, it could be used to selectively check on the I/O
behavior of specific processes ... to perform spot checks and undergo
a process of elimination.

JimD